Is HIPAA waived during natural disasters?

HIPAA is not waived during natural disasters, and healthcare organizations must still comply with HIPAA regulations. 

However, the Department of Health and Human Services (HHS) recognizes the need for flexibility during disasters to ensure patient safety and continuity of care. In these specific circumstances, the HHS Secretary may declare a public health emergency and exercise the authority to waive certain HIPAA requirements, permitting some disclosures of PHI without patient authorization. These waivers are temporary, limited to certain geographic areas and timeframes, and intended to facilitate healthcare services and emergency response efforts.

 

Legal framework

The legal foundation for these measures is established in Section 1135 of the Social Security Act, which grants the authority to make exceptions or adjustments to specific healthcare requirements in emergency situations. 

As stated by the HHS, "If the President declares an emergency or disaster and the Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule:"

The HIPAA waivers are deliberately designed to be limited in extent, with a particular focus on addressing the unique circumstances of the emergency at hand.

 

HIPAA waivers and disclosures

During a declared public health emergency, healthcare providers may be permitted to disclose protected health information (PHI) without patient authorization for the following purposes:

  • Treatment: Healthcare providers may share patient information with other providers involved in an individual's care to ensure appropriate treatment and continuity of care.
  • Public health activities: Sharing PHI with public health authorities can assist in tracking and preventing the spread of diseases and coordinating emergency response efforts.
  • Law enforcement: Disclosures may be allowed to aid law enforcement in locating individuals in disaster-affected areas or investigating public safety concerns.
  • Family and friends: Healthcare providers can disclose patient information to family members, friends, or others involved in the individual's care if it is in the patient's best interest.

These disclosures are subject to specific conditions and restrictions that balance patient privacy against public health needs.

 

Safeguarding PHI during natural disasters

While HIPAA waivers provide some flexibility during natural disasters, healthcare organizations must still take steps to safeguard PHI and maintain compliance, such as: 

  1. Emergency preparedness plans: Healthcare organizations should have emergency preparedness plans in place, outlining procedures for protecting PHI, maintaining communication channels, and ensuring continuity of care during emergencies.
  2. Secure infrastructure and data backup: Technical safeguards like firewalls, encryption, and access controls should be implemented to protect electronic PHI (ePHI). Regular data backups and offsite storage ensure data availability and prevent loss in case of on-site system damage.
  3. Communication and collaboration: Establish clear lines of communication and protocols for sharing PHI securely among healthcare providers, emergency responders, and public health authorities. This may involve encrypted email communication, virtual private networks (VPNs), or secure messaging platforms.
  4. Patient consent and authorization: While some disclosures are allowed without patient consent during emergencies, healthcare organizations should aim to obtain patient consent whenever possible. Clear documentation of consent or authorization ensures transparency and respects patient autonomy.
  5. Ongoing risk assessments and compliance reviews: Regular risk assessments identify vulnerabilities, and compliance reviews ensure adherence to HIPAA regulations. Assessments and reviews should cover response plans, physical security measures, administrative policies, and technical safeguards.

 

In the news

Following Hurricane Idalia in Florida and the Maui wildfires, President Biden and HHS Secretary Becerra declared a state of emergency and public health emergency in both locations, responding to significant losses. 

These declarations led to various actions, including waiving HIPAA regulations to enhance crisis response, allowing healthcare providers greater flexibility in patient care without compromising privacy and security standards. 

While these measures grant more flexibility in emergency healthcare and natural disasters, they are temporary and do not exempt providers from privacy laws; they serve to improve crisis response.
